Change8

v2.0.3

Breaking Changes
📦 vaultView on GitHub →
1 breaking5 features🐛 8 fixes🔧 18 symbols

Summary

This release introduces beta support for AI Agents and enhances security and ACL enforcement, particularly around LIST operations with trailing slashes. It also includes various bug fixes and enterprise improvements across authentication, secrets engines, and storage.

⚠️ Breaking Changes

  • LIST ACL requests with a trailing slash now correctly respect more-specific deny policies. Policies relying on the previous (incorrect) behavior where a deny on `path "kv/*" { deny }` could be bypassed for `LIST kv/private/` if a broader allow `path "kv/*"` also existed may now be denied.

Migration Steps

  1. Review ACL policies if they rely on the previous behavior where LIST requests with a trailing slash could bypass specific deny rules.

✨ New Features

  • Added beta support for first-class AI agents, including an Agent Registry.
  • Added support for using Vault as an OAuth resource server for registered agent entities, allowing OAuth 2.0 JWTs for direct authorization without a Vault token.
  • Added a new `sys/billing/config` endpoint to allow configuration of billing data retention (min 13 months, max 6 years).
  • Make deadlock detection in sealwrap configurable by adding "sealwrap" to existing configuration detect_deadlocks (Enterprise).
  • Update PATCH operations on scim/v2/Users to allow multiple modifications in the same patch call, support for patch operations on user metadata and name in addition to active status, and allow specifying `path` value in patch operations (Enterprise).

🐛 Bug Fixes

  • Fix LIST ACL bypass where a trailing-slash request could skip a more-specific deny rule.
  • Fix storage routing for local mounts in namespaces to prevent metadata replication and ensure GDPR compliance.
  • Fix a bug in KMIP (Enterprise) that prevents the legacy CA from working on a named listener.
  • Fix GCP Secret Manager replication policy persistence across Vault restarts (Enterprise).
  • Deregister stale TLS configurations when MySQL connection TLS settings change or the connection is closed in `secrets/database/mssql`, preventing retained certificate pools from accumulating.
  • Fix PKI certificate issuance `not_after` time to respect max TTL.
  • Add managed key support to Transit rewrap endpoint.
  • Reject `performance_multiplier` values less than or equal to zero in storage/raft.

Affected Symbols